homepage_0

Physical security

  1. 1

    Physical_security_Question_1_updated_CMS

    A security layer is a barrier that prevents unauthorised persons gaining access to an area, building or room. Examples of barriers include a reception desk, an entrance gate or a locked room. The application of multiple security layers prevents unauthorised persons gaining access to high-risk materials after passing a single security layer.

    Observation area: surrounding secured area
    Protected area: authorised personnel only
    Vital area: contains high-risk material storage
    High-risk material: in use or in storage

    How many layers of physical security are present to protect high-risk materials in your organisation?

    How many layers of physical security are present to protect high-risk materials in your organisation?

    With a security structure consisting of four layers, high-risk materials, vital area(s), protected area(s), and the observation area are all secured separately. A security structure with multiple layers and barriers to control access prevents unauthorised persons from gaining access to areas with sensitive information, or high-risk materials. It is also recommended to secure barriers with different physical measures.

    Risks

    • All layers are protected using a single physical security measure, for instance an access card.

    Measures

    • By applying different physical measures for each security layer, unauthorized access to (vital) areas can be reduced after a security layer has been breached.

    With a security structure consisting of three layers, high-risk materials, and at least two of the following areas are secured: vital area(s), protected area(s), or observation area(s). A security structure with multiple layers and barriers to control access prevents unauthorised persons from gaining access to areas with sensitive information, or high-risk materials. It is also recommended to secure barriers with different physical measures.

    Risks

    • All layers are protected using a single physical security measure, for instance an access card.
    • Your organisation has three layers of access security. Therefore, the likelihood of an unauthorised person having access to vital areas after passing a single security layer declines. However, one of the four layers is not present or has no barrier, which could leave such layer and thus your organisation vulnerable to intrusion.

    Measures

    • By applying different physical measures for each security layer, unauthorized access to (vital) areas can be reduced after a security layer has been breached.

    With a security structure consisting of two layers, high-risk materials, and at least one of the following areas are secured: vital area(s), protected area(s), or observation area(s). A security structure with multiple layers and barriers to control access prevents unauthorised persons from gaining access to areas with sensitive information, or high-risk materials. It is also recommended to secure barriers with different physical measures.

    Risks

    • All layers are protected using a single physical security measure, for instance an access card.
    • Your organisation has two layers of access security. Therefore, the likelihood of an unauthorised person having access to vital areas after passing a single security layer declines. However, two of the four layers are not present or have no barrier, which could leave such layers and thus your organisation vulnerable to intrusion.

    Measures

    • By applying different physical measures for each security layer, unauthorized access to (vital) areas can be reduced after a security layer has been breached.
    • To ensure that at least one layer of protection remains intact in such situations (e.g. during maintenance), high-risk materials must be secured, an authorised person present, or other additional measures have to be taken into account.

    A single barrier ensures that unauthorised persons have no direct access to vital areas. However, it also makes your organisation vulnerable. When this single barrier is broken, unauthorised persons can gain access to high-risk materials. A security structure with multiple layers and barriers to control access prevents unauthorised persons from gaining access to areas with sensitive information, or high-risk materials. It is also recommended to secure barriers with different physical measures.

    Risks

    • Your organisation has a single security layer. Three out of four layers are not present or have no barrier, which makes your organisation vulnerable.

    Measures

    • By applying various physical measures for each barrier, the likelihood of an unauthorised person gaining access to vital areas after breaking through a single barrier declines.
    • To ensure that at least one layer of protection remains intact in such situations (e.g. during maintenance), high-risk materials must be secured, an authorised person present, or other, additional measures have to be taken into account.

    If no security barriers are present, the premises, buildings and high-risk materials are freely accessible. Stratification and multiple barriers in access security prevent unauthorised persons gaining access to areas with sensitive information or high-risk materials. It is also advisable for the barriers to have different physical security measures.

    Risks

    • Your organisation has no layers of security. Therefore, an unauthorised person has direct access to vital areas, which makes your organisation vulnerable.

    Measures

    • By applying various physical measures for each barrier, the likelihood of an unauthorised person gaining access to vital areas after breaking through a single barrier declines.
    • To ensure that at least one layer of protection remains (vital areas), high-risk materials must be secured, an authorised person present, or other, additional security measures have to be taken into account.

    This question is not applicable

  2. 2

    Fysiek - Vraag 2

    Physical control measures complement present security barriers, and hamper access to high-risk materials by unauthorised persons. To protect high-risk materials, a number of different physical control measures are possible, including: access card readers, PIN codes, intrusion detection, or personalised systems, such as biometric identification systems. By applying different physical control measures for each barrier, surpassing security with a single type of control measure (e.g. access card), limits or prevents access by unauthorised persons to vital areas.

    Are there different physical control measures to protect the barrier(s)?

    Are there different physical control measures to protect the barrier(s)?

    The use of more than two physical control measures can prevent unauthorised access to vital areas. If a single control measure is compromised (e.g. by using a stolen access card), there are still other physical control measures present to prevent unauthorised access to high-risk materials, or vital areas.

    Risks

    • All layers are protected using physical security measures, for instance access cards or keys (something you have), that can be stolen.

    Measures

    Combine at least two of the three items below:

    “Something you have, with something you know and something you are”.

    • Have: access card, key, etc.
    • Know: security code, password, etc.
    • Are: biometrics (fingerprint, iris scan).

      These different physical control measures can be distributed over multiple barriers.

    The following European (EN) and Dutch (NEN) standards (or combined: NEN-EN) are available as well

    • Burglar resistance, requirements and classification, pedestrian doorsets, windows, curtain walling, grilles and shutters NEN-EN 1627:2011.
    • Building hardware, locks and latches, mechanically operated latches and locking plates, requirements and test methods. NEN-EN 12209:2016.
    • Building hardware, cylinders for locks, requirements and test methods: NEN-EN 1303:2015.
    • Building hardware, lever handles and knob furniture, requirements and test methods: NEN-EN 1906:2002.
    • Glass in buildings, security glazing, testing and classification of resistance against manual attack: NEN-EN 356:1999.

    The use of two control measures can prevent unauthorised access to vital areas. If a single control measure is compromised (e.g. by using a stolen access card), there are still other physical control measures present to prevent access to high-risk materials, or vital areas.

    Risks

    • All layers are protected using physical security measures, for instance access cards or keys (something you have), that can be stolen.

    Measures

    Combine at least two of the three items below:

    “Something you have, with something you know and something you are”.

    • Have: access card, key, etc.
    • Know: security code, password, etc.
    • Are: biometrics (fingerprint, iris scan).

      These different physical control measures can be distributed over multiple barriers.

    The following European (EN) and Dutch (NEN) standards (or combined: NEN-EN) are available as well

    • Burglar resistance, requirements and classification, pedestrian doorsets, windows, curtain walling, grilles and shutters NEN-EN 1627:2011.
    • Building hardware, locks and latches, mechanically operated latches and locking plates, requirements and test methods. NEN-EN 12209:2016.
    • Building hardware, cylinders for locks, requirements and test methods: NEN-EN 1303:2015.
    • Building hardware, lever handles and knob furniture, requirements and test methods: NEN-EN 1906:2002.
    • Glass in buildings, security glazing, testing and classification of resistance against manual attack: NEN-EN 356:1999.

    By using a single physical measure, unauthorised persons can gain access to vital areas with a stolen access pass. The use of (at least) two control measures can prevent unauthorised persons from entering vital areas vital areas.

    2c

    Risks

    • All layers are protected using physical security measures, for instance access cards or keys (something you have), that can be stolen.
    • The use of a single physical control measure for all security layers can make your organisation vulnerable.

    Measures

    Combine at least two of the three items below:

    “Something you have, with something you know and something you are”.

    • Have: access card, key, etc.
    • Know: security code, password, etc.
    • Are: biometrics (fingerprint, iris scan).

      These different physical control measures can be distributed over multiple barriers.

    The following European (EN) and Dutch (NEN) standards (or combined: NEN-EN) are available as well

    • Burglar resistance, requirements and classification, pedestrian doorsets, windows, curtain walling, grilles and shutters NEN-EN 1627:2011.
    • Building hardware, locks and latches, mechanically operated latches and locking plates, requirements and test methods. NEN-EN 12209:2016.
    • Building hardware, cylinders for locks, requirements and test methods: NEN-EN 1303:2015.
    • Building hardware, lever handles and knob furniture, requirements and test methods: NEN-EN 1906:2002.

    Glass in buildings, security glazing, testing and classification of resistance against manual attack: NEN-EN 356:1999.

    This question is not applicable

  3. 3

    Fysiek - Vraag 3_0

    In addition to the barriers with accompanying physical control measures, it is important to monitor certain areas in your organisation. This can be accomplished by using security systems or intrusion detection systems, such as cameras, alarms and motion sensors. Security staff can use these systems to control access to your organisation.

    What security system(s) does your organisation have in addition to existing barrier(s) and physical control measures?

    What security system(s) does your organisation have in addition to existing barrier(s) and physical control measures?

    Different security systems, such as electronic alarm systems and security staff, reinforce each other when they operate simultaneously. Security staff can intervene immediately when electronic alarm system are triggered.

    Risks

    • Malfunctioning of security systems or procedures, due to lack of maintenance or testing.

    Measures

    • Alarm systems – intrusion and hold-up systems NEN 50131.
    • Regular tests of control measures and security systems.
    • Intrusion detection with follow-up (by own security service or external security service).

    Different security systems, such as electronic alarm systems and security staff, reinforce each other when they operate simultaneously. If they do not operate simultaneously, the follow up on a triggered electronic alarm system can be a delayed. When camera monitoring is present, it can be useful to store the data as well.

    Risks

    • Malfunctioning of security systems or procedures, due to lack of maintenance or testing. If different security systems do not operate simultaneously, there may be a delay during the follow-up of an incident or accident.

    Measures

    • Alarm systems – intrusion and hold-up systems NEN 50131.
    • Regular tests of control measures and security systems.
    • Intrusion detection with follow-up (by own security service or external security service).
    • Use of zoning, barriers and different physical measures to reinforce each other.

    The presence of a security system, such as an electronic system or security staff, in addition to physical barrier(s) and control measures is highly desirable. If security system(s) are not permanently present on site, these physical barrier(s) and control measures are able to restrict access to high-risk materials or vital areas only periodically.

    Risks

    • Malfunctioning of security systems or procedures, due to lack of maintenance or testing.
    • If surveillance systems are not operational 24/7, an incident cannot be followed-up directly.

    Measures

    • Alarm systems – intrusion and hold-up systems NEN 50131.
    • Regular tests of control measures and security systems.
    • Intrusion detection with follow-up (by own security service or external security service).
    • Use of zoning, barriers and different physical measures to reinforce each other.

    If there is no security system present on site, physical barrier(s) and control measures are the only means to restrict access to your organisation. The presence of a security system, such as an electronic system or security staff, is highly desirable in addition to physical barriers and control measures for direct follow-up of incidents.

    Risks

    • If surveillance systems are not operational 24/7, an incident cannot be followed-up directly.
    • The presence of physical barriers only, and additional security systems are lacking, can make the organisation vulnerable.

    Measures

    • Alarm systems – intrusion and hold-up systems NEN 50131.
    • Regular tests of control measures and security systems.
    • Intrusion detection with follow-up (by own security service or external security service).
    • Use of zoning, barriers and different physical measures to reinforce each other.

    This question is not applicable

  4. 4

    Fysiek - Vraag 4_1

    The organisation is responsible for authorisation and monitoring of people who have access to vital areas or materials. The authorisation system must be up-to-date and adequately managed, in a way that access to certain areas or facilities can be authorised or restricted immediately. Access can also be recorded and monitored. In exceptional situations (e.g. during maintenance) high-risk materials must be secured properly, or an authorised person should be present. Furthermore, additional control measures can be taken to ensure that at least one layer of security remains intact.

    Is actively monitored whether vital areas are accessed by authorized persons only?

    Is actively monitored whether vital areas are accessed by authorized persons only?

    Employee competences are defined and stored in an authorisation system. It is important that this system is up-to-date. Managing, registering and monitoring access enables the identification of undesirable situations, so that appropriate action can be taken. Visitors or external staff is allowed access to a secured area under the supervision of authorised staff only, leaving at least a single barrier intact.

    Risks

    • If the authorisation system is not up-to-date, unauthorised persons (former employees, employees who changed jobs within the organisation, etc.) may still have access to vital areas.

    Measures

    • Ensure that the authorisation system is up-to-date. Grant authorised persons access to vital areas only.
    • Monitor and/or register who has had access to vital areas and at what time (e.g. outside working hours).
    • Monitor and/or register what type of work was carried out (e.g. using a logbook).
    • Ensure that unauthorised personnel are not left alone in vital areas and that at least one barrier to high-risk materials remains intact.
    • Identify and verify undesirable situations, and take additional control measures when necessary.

    Competences of employees are stored in an authorisation system, and it is important that this system is up-to-date. Active monitoring, registering, and controlling access and actions enables the identification of undesirable situations, so that appropriate action can be taken. It is recommended to actively check records of who enters vital areas, and not only in retrospect (e.g. after an emergency or incident has occurred ). Visitors or external staff only receive access to vital areas under supervision of authorised staff, leaving at least a single barrier intact.

    Risks

    • If the authorisation system is not up-to-date, unauthorised persons (former employees, employees who changed jobs within the organisation, etc.) may still have access to vital areas.
    • Without monitoring or registering access, it may go unnoticed who entered which vital areas, and at what time (e.g. outside working hours).
    • Presence of unsupervised visitors or external staff in vital areas can make the organisation vulnerable.

    Measures

    • Ensure that the authorisation system is up-to-date. Only grant authorised persons access to vital areas.
    • Monitor and/or register who has had access to vital areas and at what time (e.g. outside working hours).
    • Monitor and/or register what type of work was carried out (e.g. in a logbook).
    • Ensure that unauthorised personnel are not left alone in vital areas and that at least one barrier to high-risk materials remains intact.
    • Identify and verify undesirable situations and take additional measures.

    Competences of employees are stored in an authorisation system, and it is important that this system is up-to-date. Active monitoring, registering, and controlling access and actions enables the identification of undesirable situations, so that appropriate action can be taken. It is recommended to actively check records of who enters vital areas, and not only in retrospect (e.g. after an emergency or incident has occurred ). Visitors or external staff only receive access to vital areas under supervision of authorised staff, leaving at least a single barrier intact.

    Risks

    • If the authorisation system is not up-to-date, unauthorised persons (former employees, employees who changed jobs within the organisation, etc.) may still have access to vital areas.
    • Without monitoring or registering access, it may go unnoticed who entered which vital areas, and at what time (e.g. outside working hours).
    • Presence of unsupervised visitors or external staff in vital areas can make the organisation vulnerable.

    Measures

    • Ensure that the authorisation system is up-to-date. Only grant authorised persons access to vital areas.
    • Monitor and/or register who has had access to vital areas and at what time (e.g. outside working hours).
    • Monitor and/or register what type of work was carried out (e.g. in a logbook).
    • Ensure that unauthorised personnel are not left alone in vital areas and that at least one barrier to high-risk materials remains intact.
    • Identify and verify undesirable situations and take appropriate measures.

    Your organisation is vulnerable when there is no authorisation and registration procedure for employees gaining access to vital areas. It is advisable to authorise access only to personnel who need to have access to the vital area. Additionally, for security purposes, it is also recommendable to record who has entered the vital area, and to verify this on a regular basis.

    Risks

    • Without monitoring or registering access, it may go unnoticed who entered which vital areas, and at what time.
    • Presence of unsupervised visitors or external staff in vital areas can make the organisation vulnerable.

    Measures

    • Ensure that the authorisation system is up-to-date. Only grant authorised persons access to vital areas.
    • Monitor and/or register who has had access to vital areas and at what time (e.g. outside working hours).
    • Monitor and/or record what type of work was carried out (e.g. in a logbook).
    • Ensure that unauthorised personnel are not left alone in vital areas and that at least one barrier to high-risk materials remains intact.
    • Identify and verify undesirable situations and take additional measures.

    This question is not applicable

  5. 5

    Fysiek - Vraag 5_0

    Intruders can be detected in various ways, for example by alarm systems and security staff. The attitude towards security in your organisation also plays an important role; alertness of staff is of vital importance in detecting intruders.

    Can intruders of your organisation be detected?

    Can intruders of your organisation be detected?

    Security conscious employees make a major contribution to security. Awareness and a positive attitude towards security are vital within an organisation. For instance, tailgating should not be permitted, and strangers should be addressed. It is recommended that employees can report deviant behaviour to supervisors or confidential advisors.

    Risks

    • Despite the present safety culture among employees, intrusion detection and trained security personnel, vulnerabilities may emerge due to changes in your organisation.

    Measures

    • Not applicable.

    Security conscious employees make a major contribution to security. Awareness and a positive attitude towards security are vital within an organisation. For instance, tailgating should not be permitted, and strangers should be addressed. It is recommended that employees can report deviant behaviour to supervisors or confidential advisors.

    Risks

    • Despite the present safety culture among employees, intrusion detection and trained security personnel, vulnerabilities may emerge due to changes in your organisation.
    • Without immediate action by security staff, there is a delay in addressing security incidents.

    Measures

    • Not applicable

    Security conscious employees make a major contribution to security. Awareness and a positive attitude towards security are vital within an organisation. For instance, tailgating should not be permitted, and strangers should be addressed. It is recommended that employees can report deviant behaviour to supervisors or confidential advisors. However, the lack of an alarm or detection systems may leave your organisation vulnerable to intrusion. By combining an alarm system with a follow-up by security staff, intruders can be detected and addressed immediately.

    Risks

    • Despite the present safety culture among employees and trained security personnel, vulnerabilities may emerge due to changes in your organisation.
    • Your organisation is vulnerable to (undetected) intrusion without alarm or detection systems.
    • Without immediate action by security staff, due to a lack of alarms systems, there is a delay in addressing security incidents.

    Measures

    • Install alarm or intrusion detection systems.

    A proper security culture and awareness within an organisation is essential. It is important for individual employees to be security conscious and alert, because observant employees make a major contribution to security. For example, personnel can be alert on tailgating or address strangers, especially in reference to restricted areas. It is recommended that employees can report deviant behaviour to their supervisor or confidential advisor. The lack of security staff may leave your organisation vulnerable to intrusion. Security staff is an addition to the barriers and physical measures present. By combining an alarm system with a follow-up by security staff, intruders can be detected and addressed immediately.

    Risks

    • Despite the present safety culture among employees, vulnerabilities may emerge due to changes in your organisation.
    • Without a security staff present, there is a delay in addressing security incidents.

    Measures

    • Appoint a security staff to your organisation.
    • Ensure that alarm or intrusion detection systems are checked, monitored and followed up by security staff.

    Your organisation is probably vulnerable to intruders due to the absence of systems to detect intruders. When intruders go unnoticed, they can enter vital areas and cause harm. Barriers and physical measures may delay intruders, but it is important that they are also promptly detected. By combining multiple security layers, for example, security staff and (electronic) alarm systems, intruders can be detected and addressed immediately. In addition, a proper security culture and awareness within an organisation is essential as well. Alert employees can make a major contribution to security, for instance, by not permitting tail gaiting, or by addressing strangers.

    Risks

    • Your organisation is vulnerable to intrusion without a security staff, alarm or detection systems.

    Measures

    • Install alarm or intrusion detection systems.
    • Appoint a security staff to your organisation.

    This question is not applicable

  6. 6

    Fysiek - Vraag 6_0

    A positive attitude towards security within an organisation is essential for physical security. Proper physical security works only when it is acknowledged by staff, and physical control measures are used properly.

    How do employees deal with physical control measures such as secured doors, access codes and passes, locks, and passwords?

    How do employees deal with physical control measures such as secured doors, access codes and passes, locks, and passwords?

    Physical security works only when it is acknowledged by staff and access control measures are used properly. An organisation with a positive attitude towards security among employees, not only supports physical security, but employees will be more alert. As a result, undesirable situations will be identified sooner and reported to supervisors, a confidentiality counsellor and/or security staff.

    Risks

    • Absence of a positive attitude toward security and a lack of staff alertness can be a security risk in identifying undesirable situations.

    Measures

    • Train your staff regularly and emphasise the importance of the risks associated with high-risk materials.

    Physical security works only when it is acknowledged by staff and access control measures are used properly. Access passes are personally assigned and may not be shared with others to gain (temporary) access to a particular (vital) area. Tailgating is undesirable, particularly for areas with high-risk materials.

    Risks

    • Absence of a positive attitude toward security and a lack of staff alertness can be a security risk in identifying undesirable situations.

    Measures

    • Train your staff regularly and emphasise the importance of the risks associated with high-risk materials.

    Access passes are personally assigned and may not be shared with others to gain (temporary) access to a particular (vital) area. Tailgating is also undesirable, particularly for areas with high-risk materials. A proper security culture and awareness within an organisation is essential to ensure that control measures are not easily bypassed. Physical security works only when it is acknowledged by staff and access control measures is used properly.

    Risks

    • Absence of a positive attitude toward security and a lack of staff alertness can be a security risk in identifying undesirable situations.

    Measures

    • Train your staff regularly and emphasise the importance of the risks associated with high-risk materials.

    A proper security culture and awareness within an organisation is essential. Physical security works only when it is acknowledged by staff and access control measures is used properly. For instance, functionality of access passes, keys and other security items is lost if they are shared among employees. Therefore, access passes should not be shared with others to gain (temporary) access to a particular (vital) area. Tailgating is also undesirable, particularly for areas with high-risk materials.

    Risks

    • Absence of a positive attitude toward security and a lack of staff alertness can be a security risk in identifying undesirable situations.

    Measures

    • Train your staff regularly and emphasise the importance of the risks associated with high-risk materials.

    This question is not applicable